
The Sumo Logic Threat Intel lookup database is only available with Sumo Logic Enterprise and Professional accounts, or during a 30-day trial period. The Threat Intel lookup database is not available for Sumo Logic Free accounts.

Install the Sumo Logic App

Now that you have set up collection, install the Sumo Logic App for Threat Intel for AWS to use the preconfigured searches and Dashboards that provide insight into your data.

To install the app, do the following:

Locate and install the app you need from the App Catalog. If you want to see a preview of the dashboards included with the app before installing, click Preview Dashboards.

1. From the App Catalog, search for and select the app.

2. To install the app, click Add to Library and complete the following fields.

   App Name. You can retain the existing name, or enter a name of your choice for the app.

   Advanced. Select the Location in Library (the default is the Personal folder in the library), or click New Folder to add a new folder.

3. Click Add to Library.

Once an app is installed, it will appear in your Personal folder, or in the other folder that you specified. From here, you can share it with your organization.

Panels will start to fill automatically. Note that each panel fills only with data that matches its query's time range and that was received after the panel was created. Results won't immediately be available, but with a bit of time you'll see full graphs and maps.

Dashboards

All dashboards include filters that you can use in Interactive Mode for further analysis of your Threat Intel data.

Threat Intel - Overview

Welcome to Threat Intel for AWS. See an informational panel to help you get started with Threat Intel. You can close this panel once you’ve read the text and visited the FAQs.

Scanned Events Over Time. See the number of events scanned while looking for threats during the last 24 hours, broken down by source type.

CloudTrail. Count of threats detected in CloudTrail logs for the last 24 hours. Click this panel to drill down further on threats identified for CloudTrail; you'll be taken to the Threat Intel - AWS CloudTrail dashboard.

VPC. Count of threats detected in VPC Flow Logs for the last 24 hours. Click this panel to drill down further on threats identified for VPC Flow Logs; you'll be taken to the Threat Intel - AWS VPC dashboard.

ELB. Count of threats detected in ELB logs for the last 24 hours. Click this panel to drill down further on threats identified for ELB; you'll be taken to the Threat Intel - AWS ELB dashboard.

Threats over Time - CloudTrail. Count of threats detected in CloudTrail logs over the last 24 hours, timesliced by hour to give you a trend of threats identified over time.

Threats over Time - VPC. Count of threats detected in VPC Flow Logs over the last 24 hours, timesliced by hour to give you a trend of threats identified over time.

Threats over Time - ELB. Count of threats detected in ELB logs over the last 24 hours, timesliced by hour to give you a trend of threats identified over time.

Threat Outlier - CloudTrail. See any time when the count of threats with a malicious confidence of High in CloudTrail logs goes outside the set threshold.

Threat Outlier - VPC. See any time when the count of threats with a malicious confidence of High in VPC Flow Logs goes outside the set threshold.

Threat Outlier - ELB - Classic. See any time when the count of threats with a malicious confidence of High in ELB logs goes outside the set threshold.

Threat Intel - AWS CloudTrail

Use this dashboard for details on potential threats and IOCs for AWS CloudTrail.

Threats by Geo Location. View the geo location, by IP address, of threats that CrowdStrike has identified with a malicious confidence of High over the last 24 hours.

Top 10 Threat Sources by Action. View a bar chart of the top ten threat sources by source IP address, action, and count over the last 24 hours.

Threat Breakdown. View a bar chart of threats over the last 24 hours by count, actor, and action.

Threats Over Time by Action. View a trend over the last 24 hours of accepted and rejected threats.

Threat Intel - AWS Elastic Load Balancing

Use this dashboard for details on potential threats and IOCs for Elastic Load Balancing.

Threats by Geo Location. View the geo location of the latest identified threats, by source IP address.

Threats Associated with Client IP. View an aggregation table of threats by client IP with a malicious confidence of High that contains the ELB server, ELB status code, full request, source IP, source port, back end host, destination port, malicious confidence, label name, threat malware families, and threat last updated.

Client IP threats by ELB Server. View threats by client IP with a malicious confidence of High by ELB Server.

Threats By Actor. View a count of total threats with a malicious confidence of High for the last 24 hours, broken up by Actor.

Client IP Threats Over Time by ELB Server. View a line chart of the threats by client IP address with high malicious confidence over the last 24 hours.

Threats Associated with Hostname. View an aggregation table of threats by hostname with a malicious confidence of High that contains the ELB server, ELB status code, full request, host name, source port, back end host, destination port, malicious confidence, label name, threat malware families, and threat last updated over the last 24 hours.

Threats Associated with URL (Request). View threats by URL where the malicious confidence is high over the last 24 hours.
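The logic behind the panels described above (joining the source or client IP of each log event against a threat-intel table, counting High-confidence matches per source timesliced by hour, breaking them down by actor, and flagging outlier hours, as in the Threat Intel - Overview panels) and the per-request ELB fields the "Threats Associated with Client IP" table surfaces, shown as an added, self-contained example. This is not Sumo Logic's code and does not reproduce the app's queries or the CrowdStrike lookup; the IOC entries, actor names, ELB name and log lines are constructed for the demonstration, and the mean-plus-stdev baseline stands in for the panel's configured threshold.

```python
"""Added illustration: match constructed VPC Flow Log and ELB Classic log
lines against a constructed threat-intel table, count High-confidence hits
per source per hour, break them down by actor, and flag outlier hours.
Not Sumo Logic's code; the indicators and log lines below are constructed."""
import re
import statistics
from collections import Counter
from datetime import datetime, timezone

# Constructed IOC table (hypothetical indicators, documentation-range IPs),
# keyed by IP. Field names mirror what the dashboards surface.
IOC = {
    "198.51.100.23": {"malicious_confidence": "high", "actor": "actor-a", "label": "c2"},
    "203.0.113.77": {"malicious_confidence": "medium", "actor": "actor-b", "label": "scanner"},
}

# Constructed VPC Flow Log records (default v2 format):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
VPC_LINES = [
    "2 123456789012 eni-0a1b2c3d 198.51.100.23 10.0.1.5 44321 22 6 10 840 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.2.9 51000 443 6 30 4500 1700000100 1700000160 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.23 10.0.1.5 44322 22 6 10 840 1700003700 1700003760 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.23 10.0.1.5 44323 22 6 10 840 1700003800 1700003860 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.23 10.0.1.5 44324 22 6 10 840 1700003900 1700003960 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.77 10.0.1.5 40000 80 6 5 300 1700003950 1700004010 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.23 10.0.1.5 44325 22 6 10 840 1700006500 1700006560 REJECT OK",
]

# Constructed ELB Classic access log records:
# timestamp elb client:port backend:port request_processing_time
# backend_processing_time response_processing_time elb_status_code
# backend_status_code received_bytes sent_bytes "request" "user_agent" ssl_cipher ssl_protocol
ELB_LINES = [
    '2023-11-14T23:20:01.123456Z my-elb 198.51.100.23:51234 10.0.2.9:80 0.000050 0.000900 0.000040 200 200 0 512 "GET http://www.example.com:80/admin HTTP/1.1" "curl/8.0" - -',
    '2023-11-14T23:21:07.000000Z my-elb 192.0.2.10:40001 10.0.2.9:80 0.000050 0.000700 0.000040 200 200 0 128 "GET http://www.example.com:80/ HTTP/1.1" "Mozilla/5.0" - -',
]

ELB_RE = re.compile(
    r'^(?P<ts>\S+) (?P<elb>\S+) (?P<client>[\d.]+):(?P<client_port>\d+) (?P<backend>\S+) '
    r'\S+ \S+ \S+ (?P<elb_status>\S+) \S+ \d+ \d+ "(?P<request>[^"]*)"'
)


def parse_vpc(line):
    """Flow record -> event; 'start' is epoch seconds, 'action' is ACCEPT/REJECT."""
    f = line.split()
    return {"source": "vpc", "ip": f[3], "ts": int(f[10]), "action": f[12], "dst_port": f[6]}


def parse_elb(line):
    """ELB Classic line -> event with the fields the ELB table shows; None if unparseable."""
    m = ELB_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return {"source": "elb", "ip": m["client"], "ts": int(ts.timestamp()), "elb": m["elb"],
            "client_port": m["client_port"], "backend": m["backend"],
            "elb_status": m["elb_status"], "request": m["request"]}


def scanned_by_source(events):
    """'Scanned Events Over Time' style count: every event, by source type."""
    return Counter(e["source"] for e in events)


def enrich(events, ioc=IOC):
    """Join each event's IP against the IOC table; non-matching events drop out."""
    return [{**e, **ioc[e["ip"]]} for e in events if e["ip"] in ioc]


def hour_bucket(epoch):
    """Timeslice to the start of the UTC hour (1h buckets, as the trend panels do)."""
    return epoch - epoch % 3600


def threats_by_hour(hits, confidence="high"):
    """Count matches at the given malicious confidence per (source, hour)."""
    return Counter((h["source"], hour_bucket(h["ts"])) for h in hits
                   if h["malicious_confidence"] == confidence)


def threats_by_actor(hits, confidence="high"):
    """'Threats By Actor' style count of matches at the given confidence."""
    return Counter(h["actor"] for h in hits if h["malicious_confidence"] == confidence)


def outlier_hours(counts, source, k=1.0):
    """Hours whose count exceeds mean + k*stdev of that source's hourly series.
    A simple baseline standing in for the panel's threshold; needs >= 2 buckets."""
    series = sorted((hour, n) for (s, hour), n in counts.items() if s == source)
    values = [n for _, n in series]
    if len(values) < 2:
        return []
    limit = statistics.mean(values) + k * statistics.pstdev(values)
    return [hour for hour, n in series if n > limit]


def run(vpc_lines=VPC_LINES, elb_lines=ELB_LINES):
    events = [parse_vpc(line) for line in vpc_lines]
    events += [e for e in map(parse_elb, elb_lines) if e is not None]
    hits = enrich(events)
    by_hour = threats_by_hour(hits)
    return {"scanned": scanned_by_source(events), "hits": hits, "by_hour": by_hour,
            "by_actor": threats_by_actor(hits), "vpc_outliers": outlier_hours(by_hour, "vpc")}


if __name__ == "__main__":
    result = run()
    for (src, hour), n in sorted(result["by_hour"].items()):
        print(datetime.fromtimestamp(hour, timezone.utc).isoformat(), src, n)
    print("VPC outlier hours:", result["vpc_outliers"])
```

In the Sumo Logic app the join is done in the query language against the Threat Intel lookup rather than in application code; this script only makes the matching and bucketing steps concrete. Note that the medium-confidence hit on 203.0.113.77 is deliberately excluded from the counts, matching the panels that report only a malicious confidence of High.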